Abstract. Despite decades of research, there are still a number of concepts commonly found in software programs that are considered challenging for verification: among others, such concepts include concurrency, and the compositional analysis of programs with procedures. As a promising direction to overcome such difficulties, recently the use of Horn constraints as intermediate representation of software programs has been proposed. Horn constraints are related to Craig interpolation, which is one of the main techniques used to construct and refine abstractions in verification, and to synthesise inductive loop invariants. We give a survey of the different forms of Craig interpolation found in literature, and show that all of them correspond to natural fragments of (recursion-free) Horn constraints. We also discuss techniques for solving systems of recursion-free Horn constraints.

1 Introduction 

Predicate abstraction [13] has emerged as a prominent and effective way for model checking software systems. A key ingredient in predicate abstraction is analyzing the spurious counter-examples to refine abstractions [4]. The refinement problem saw a significant progress when Craig interpolants extracted from unsatisfiability proofs were used as relevant predicates [18]. While interpolation has enjoyed a significant progress for various logical constraints [6-8, 21], there have been substantial proposals for more general forms of interpolation [1, 17, 21].

As a promising direction to extend the reach of automated verification methods to programs with procedures, and concurrent programs, among others, recently the use of Horn constraints as intermediate representation has been proposed [14, 15, 25]. This report examines the relationship between various forms of Craig interpolation and syntactically defined fragments of recursion-free Horn clauses. We systematically examine binary interpolation, inductive interpolant sequences, tree interpolants, restricted DAG interpolants, and disjunctive interpolants, and show the recursion-free Horn clause problems to which they correspond. We present algorithms for solving each of these classes of problems by reduction to elementary interpolation problems. We also give a taxonomy of the various interpolation problems, and the corresponding systems of Horn clauses, in terms of their computational complexity.



2 Related Work 



The use of Horn clauses as intermediate representation for verification was proposed in [26]. The authors of [15] use Horn clauses for verification of multi-threaded programs. The underlying procedure for solving sets of recursion-free Horn clauses, over the combined theory of linear integer arithmetic and uninterpreted functions, was presented in [16]. A range of further applications of Horn clauses, including inter-procedural model checking, was given in [14]. Horn clauses are also proposed as intermediate/exchange format for verification problems in [5], and are natively supported by the SMT solver Z3 [10].

There is a long line of research on Craig interpolation methods, and generalised forms of interpolation, tailored to verification. For an overview of interpolation in the presence of theories, we refer the reader to [7, 8]. Binary Craig interpolation for implications $A \to C$ goes back to [9], was carried over to conjunctions $A \wedge B$ in [22], and generalised to inductive sequences of interpolants in [18, 24]. The concept of tree interpolation, strictly generalising inductive sequences of interpolants, is presented in the documentation of the interpolation engine iZ3 [21]; the computation of tree interpolants by computing a sequence of binary interpolants is also described in [17]. Restricted DAG interpolants [1] and disjunctive interpolants [27] are a further generalisation of inductive sequences of interpolants, designed to enable the simultaneous analysis of multiple counterexamples or program paths.

The use of Craig interpolation for solving Horn clauses is discussed in [25], concentrating on the case of tree interpolation. Our paper extends this work by giving a systematic study of the relationship between different forms of Craig interpolation and Horn clauses, as well as general results about solvability and computational complexity, independent of any particular calculus used to perform interpolation.

Inter-procedural software model checking with interpolants has been an active area of research for the last decade. In the context of predicate abstraction, it has been discussed how well-scoped invariants can be inferred [18] in the presence of function calls. Based on the concept of Horn clauses, a predicate abstraction-based algorithm for bottom-up construction of function summaries was presented in [14]. Generalisations of the Impact algorithm [24] to programs with procedures are given in [17] (formulated using nested word automata) and [2]. Finally, function summaries generated using interpolants have also been used to speed up bounded model checking [28].

Several other tools handle procedures by increasingly inlining and performing under 
and/or over-approximation [19, 29, 30], but without the use of interpolation techniques. 

3 Example 

We start with an example illustrating the use of Horn clauses to verify a recursive program. Fig. 1 shows an example of a recursive program, which is encoded as a set of (recursive) Horn constraints in Fig. 2. The function f recursively computes the increment of the argument n by 1.

For translation to Horn clauses we assign an uninterpreted relation symbol $r_i$ to each state $q_i$ of the control flow graph. The arguments of the relation symbol $r_i$ act as placeholders of the visible variables in the state $q_i$. The relation symbol $r_f$ corresponds to the summary of the function f. In the relation symbol $r_f$ we do not include the local variable tmp in the arguments since it is invisible from outside the function f. The first
def f(n : Int)
    returns rec : Int {
  if (n > 0) {
    tmp = f(n - 1)
    rec = tmp + 1
  } else {
    rec = 1
  }
}

def main() {
  var res : Int
  havoc(x : Int ≥ 0)
  res = f(x)
  assert(res == x + 1)
}

Fig. 1. A recursive program and its control flow graph (see Sect. 3). 

(1) $r_1(X, Res) \leftarrow true$
(2) $r_2(X', Res) \leftarrow r_1(X, Res) \wedge X' \ge 0$
(3) $r_3(X, Res') \leftarrow r_2(X, Res) \wedge r_f(X, Res')$
(4) $r_4(X, Res) \leftarrow r_3(X, Res) \wedge Res = X + 1$
(5) $false \leftarrow r_3(X, Res) \wedge Res \ne X + 1$
(6) $r_5(N, Rec, Tmp) \leftarrow true$
(7) $r_6(N, Rec, Tmp) \leftarrow r_5(N, Rec, Tmp) \wedge N > 0$
(8) $r_7(N, Rec, Tmp') \leftarrow r_6(N, Rec, Tmp) \wedge r_f(N - 1, Tmp')$
(9) $r_8(N, Rec, Tmp) \leftarrow r_5(N, Rec, Tmp) \wedge N \le 0$
(10) $r_9(N, Rec', Tmp) \leftarrow r_7(N, Rec, Tmp) \wedge Rec' = Tmp + 1$
(11) $r_9(N, Rec', Tmp) \leftarrow r_8(N, Rec, Tmp) \wedge Rec' = 1$
(12) $r_f(N, Rec) \leftarrow r_9(N, Rec, Tmp)$

Fig. 2. The encoding of the program in Fig. 1 into a set of recursive Horn clauses. 



argument of $r_f$ is the input and the second one is the output. We do not dedicate any relation symbol to the error state e.

The initial states of the functions are not constrained at the beginning; they are just implied by true. The clause that has false as its head corresponds to the assertion in the program. In order to satisfy the clause with the head false, the body of the clause must also evaluate to false. We put the condition leading to error in the body of this clause to ensure that the error condition cannot occur. The rest of the clauses are one-to-one translations of the edges in the control flow graph.

For the edges with no function calls we merely relate the variables in the previous state to the variables in the next state using the transfer functions on the edges. For example, the clause (2) expresses that res is kept unchanged in the transition from $q_1$ to $q_2$ and the value of x is greater than or equal to 0 in $q_2$. For the edges with function calls
[Fig. 3 is graphical; the formulae it assigns to the relation symbols are:]

$r_1(x, res)$: $true$
$r_2(x, res)$: $x \ge 0$
$r_3(x, res)$: $res = x + 1$
$r_4(x, res)$: $true$
$r_5(n, rec, tmp)$: $true$
$r_6(n, rec, tmp)$: $n \ge 1$
$r_7(n, rec, tmp)$: $n = tmp$
$r_8(n, rec, tmp)$: $n \le 0$
$r_9(n, rec, tmp)$: $rec = n + 1 \vee (n \le 0 \wedge rec = 1)$
$r_f(n, rec)$: $rec = n + 1 \vee (n \le 0 \wedge rec = 1)$

Fig. 3. Syntactic solution of the Horn clauses in Fig. 2.



we should also take care of the passing arguments and the return values. For example, the clause (3) corresponds to the edge containing a function call from $q_2$ to $q_3$. This clause sets the value of res in the state $q_3$ to the return value of the function f. Note that the only clauses in this example that have more than one relation symbol in the body are the ones related to edges with function calls.

The solution of the obtained system of Horn clauses demonstrates the correctness of the program. In a solution each relation symbol is mapped to an expression over its arguments. If we replace the relation symbols in the clauses by the expressions in the solution we should obtain only valid clauses. In a system with a genuine path to error we cannot find any solution to the system since we have no way to satisfy the assertion clause. Fig. 3 gives one possible solution of the Horn clauses in terms of concrete formulae, found by our verification tool Eldarica.³
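To make the substitution concrete, the following added example (not code from the paper or from Eldarica) instantiates the clauses of Fig. 2 with the solution read off Fig. 3 and checks the universal closure of every instantiated clause over a bounded range of integers; it also shows that weakening one summary leaves the assertion clause unsatisfied. The encoding of the clauses as Python data is an assumption of the example.

```python
from itertools import product

# The Horn clauses of Fig. 2 as data (an encoding assumed by this example).
# Each clause lists its first-order variables, its body literals as
# (relation symbol, argument terms), its constraint, and its head; a head of
# None encodes "false".  Terms and constraints are functions of an assignment
# `a` that maps variable names to integers.
CLAUSES = {
    "(1)": dict(vars=["X", "Res"], body=[], con=lambda a: True,
                head=("r1", lambda a: (a["X"], a["Res"]))),
    "(2)": dict(vars=["X", "X'", "Res"], body=[("r1", lambda a: (a["X"], a["Res"]))],
                con=lambda a: a["X'"] >= 0, head=("r2", lambda a: (a["X'"], a["Res"]))),
    "(3)": dict(vars=["X", "Res", "Res'"], con=lambda a: True,
                body=[("r2", lambda a: (a["X"], a["Res"])), ("rf", lambda a: (a["X"], a["Res'"]))],
                head=("r3", lambda a: (a["X"], a["Res'"]))),
    "(4)": dict(vars=["X", "Res"], body=[("r3", lambda a: (a["X"], a["Res"]))],
                con=lambda a: a["Res"] == a["X"] + 1, head=("r4", lambda a: (a["X"], a["Res"]))),
    "(5)": dict(vars=["X", "Res"], body=[("r3", lambda a: (a["X"], a["Res"]))],
                con=lambda a: a["Res"] != a["X"] + 1, head=None),
    "(6)": dict(vars=["N", "Rec", "Tmp"], body=[], con=lambda a: True,
                head=("r5", lambda a: (a["N"], a["Rec"], a["Tmp"]))),
    "(7)": dict(vars=["N", "Rec", "Tmp"], body=[("r5", lambda a: (a["N"], a["Rec"], a["Tmp"]))],
                con=lambda a: a["N"] > 0, head=("r6", lambda a: (a["N"], a["Rec"], a["Tmp"]))),
    "(8)": dict(vars=["N", "Rec", "Tmp", "Tmp'"], con=lambda a: True,
                body=[("r6", lambda a: (a["N"], a["Rec"], a["Tmp"])), ("rf", lambda a: (a["N"] - 1, a["Tmp'"]))],
                head=("r7", lambda a: (a["N"], a["Rec"], a["Tmp'"]))),
    "(9)": dict(vars=["N", "Rec", "Tmp"], body=[("r5", lambda a: (a["N"], a["Rec"], a["Tmp"]))],
                con=lambda a: a["N"] <= 0, head=("r8", lambda a: (a["N"], a["Rec"], a["Tmp"]))),
    "(10)": dict(vars=["N", "Rec", "Rec'", "Tmp"], body=[("r7", lambda a: (a["N"], a["Rec"], a["Tmp"]))],
                 con=lambda a: a["Rec'"] == a["Tmp"] + 1, head=("r9", lambda a: (a["N"], a["Rec'"], a["Tmp"]))),
    "(11)": dict(vars=["N", "Rec", "Rec'", "Tmp"], body=[("r8", lambda a: (a["N"], a["Rec"], a["Tmp"]))],
                 con=lambda a: a["Rec'"] == 1, head=("r9", lambda a: (a["N"], a["Rec'"], a["Tmp"]))),
    "(12)": dict(vars=["N", "Rec", "Tmp"], body=[("r9", lambda a: (a["N"], a["Rec"], a["Tmp"]))],
                 con=lambda a: True, head=("rf", lambda a: (a["N"], a["Rec"]))),
}

# The syntactic solution of Fig. 3: each relation symbol is mapped to a
# formula over its own arguments.
FIG3_SOLUTION = {
    "r1": lambda x, res: True,
    "r2": lambda x, res: x >= 0,
    "r3": lambda x, res: res == x + 1,
    "r4": lambda x, res: True,
    "r5": lambda n, rec, tmp: True,
    "r6": lambda n, rec, tmp: n >= 1,
    "r7": lambda n, rec, tmp: n == tmp,
    "r8": lambda n, rec, tmp: n <= 0,
    "r9": lambda n, rec, tmp: rec == n + 1 or (n <= 0 and rec == 1),
    "rf": lambda n, rec: rec == n + 1 or (n <= 0 and rec == 1),
}

def violated_clauses(clauses, sol, bound=4):
    """Instantiate each clause h with sol, i.e. build sol(h) as in Sect. 4.1, and
    test its universal closure over all integer assignments of the clause's
    variables in [-bound, bound].  Returns the clauses some assignment falsifies.
    The finite range makes this a bounded sanity check, not a proof of validity."""
    bad = []
    for name, cl in clauses.items():
        for values in product(range(-bound, bound + 1), repeat=len(cl["vars"])):
            a = dict(zip(cl["vars"], values))
            body = cl["con"](a) and all(sol[p](*args(a)) for p, args in cl["body"])
            head = cl["head"] is not None and sol[cl["head"][0]](*cl["head"][1](a))
            if body and not head:
                bad.append(name)
                break
    return bad

def weakened_solution():
    """A candidate that forgets the summary of state q3: with r3 := true the
    assertion clause (5) can no longer be discharged."""
    return {**FIG3_SOLUTION, "r3": lambda x, res: True}

if __name__ == "__main__":
    print("Fig. 3 solution violates:", violated_clauses(CLAUSES, FIG3_SOLUTION))      # []
    print("weakened solution violates:", violated_clauses(CLAUSES, weakened_solution()))  # ['(5)']
```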

This paper discusses techniques to automatically construct solutions of Horn clauses. Although the Horn clauses encoding programs are typically recursive, it has been observed that the case of recursion-free Horn clauses is instrumental for constructing verification procedures operating on Horn clauses [14, 15, 25]. Sets of recursion-free Horn clauses are usually extracted from recursive clauses by means of finite unwinding; examples are given in Sect. 5.3 and 5.5.

4 Formulae and Horn Clauses 

Constraint languages. Throughout this paper, we assume that a first-order vocabulary of interpreted symbols has been fixed, consisting of a set $\mathcal{F}$ of fixed-arity function symbols, and a set $\mathcal{P}$ of fixed-arity predicate symbols. Interpretation of $\mathcal{F}$ and $\mathcal{P}$ is determined by a class $\mathcal{S}$ of structures $(U, I)$ consisting of non-empty universe $U$, and a mapping $I$ that assigns to each function in $\mathcal{F}$ a set-theoretic function over $U$, and to each predicate in $\mathcal{P}$ a set-theoretic relation over $U$. As a convention, we assume



³ http://lara.epfl.ch/w/eldarica
the presence of an equation symbol "=" in $\mathcal{P}$, with the usual interpretation. Given a countably infinite set $X$ of variables, a constraint language is a set $Constr$ of first-order formulae over $\mathcal{F}, \mathcal{P}, X$. For example, the language of quantifier-free Presburger arithmetic has $\mathcal{F} = \{+, -, 0, 1, 2, \ldots\}$ and $\mathcal{P} = \{=, \le, |\}$.

A constraint is called satisfiable if it holds for some structure in $\mathcal{S}$ and some assignment of the variables $X$, otherwise unsatisfiable. We say that a set $\Gamma \subseteq Constr$ of constraints entails a constraint $\phi \in Constr$ if every structure and variable assignment that satisfies all constraints in $\Gamma$ also satisfies $\phi$; this is denoted by $\Gamma \models \phi$.

$fv(\phi)$ denotes the set of free variables in constraint $\phi$. We write $\phi[x_1, \ldots, x_n]$ to state that a constraint contains (only) the free variables $x_1, \ldots, x_n$, and $\phi[t_1, \ldots, t_n]$ for the result of substituting the terms $t_1, \ldots, t_n$ for $x_1, \ldots, x_n$. Given a constraint $\phi$ containing the free variables $x_1, \ldots, x_n$, we write $Cl_\forall(\phi)$ for the universal closure $\forall x_1, \ldots, x_n.\ \phi$.

Craig interpolation is the main technique used to construct and refine abstractions in software model checking. A binary interpolation problem is a conjunction $A \wedge B$ of constraints. A Craig interpolant is a constraint $I$ such that $A \models I$ and $B \models \neg I$, and such that $fv(I) \subseteq fv(A) \cap fv(B)$. The existence of an interpolant implies that $A \wedge B$ is unsatisfiable. We say that a constraint language has the interpolation property if also the opposite holds: whenever $A \wedge B$ is unsatisfiable, there is an interpolant $I$.

4.1 Horn Clauses 

To define the concept of Horn clauses, we fix a set $\mathcal{R}$ of uninterpreted fixed-arity relation symbols, disjoint from $\mathcal{P}$ and $\mathcal{F}$. A Horn clause is a formula $C \wedge B_1 \wedge \cdots \wedge B_n \to H$ where

- $C$ is a constraint over $\mathcal{F}, \mathcal{P}, X$;

- each $B_i$ is an application $p(t_1, \ldots, t_k)$ of a relation symbol $p \in \mathcal{R}$ to first-order terms over $\mathcal{F}, X$;

- $H$ is similarly either an application $p(t_1, \ldots, t_k)$ of $p \in \mathcal{R}$ to first-order terms, or is the constraint $false$.

$H$ is called the head of the clause, $C \wedge B_1 \wedge \cdots \wedge B_n$ the body. In case $C = true$, we usually leave out $C$ and just write $B_1 \wedge \cdots \wedge B_n \to H$. First-order variables (from $X$) in a clause are considered implicitly universally quantified; relation symbols represent set-theoretic relations over the universe $U$ of a structure $(U, I) \in \mathcal{S}$. Notions like (un)satisfiability and entailment generalise straightforwardly to formulae with relation symbols.

A relation symbol assignment is a mapping $sol : \mathcal{R} \to Constr$ that maps each $n$-ary relation symbol $p \in \mathcal{R}$ to a constraint $sol(p) = C_p[x_1, \ldots, x_n]$ with $n$ free variables. The instantiation $sol(h)$ of a Horn clause $h$ is defined by:

$$sol(C \wedge p_1(\bar t_1) \wedge \cdots \wedge p_n(\bar t_n) \to p(\bar t)) = C \wedge sol(p_1)[\bar t_1] \wedge \cdots \wedge sol(p_n)[\bar t_n] \to sol(p)[\bar t]$$
$$sol(C \wedge p_1(\bar t_1) \wedge \cdots \wedge p_n(\bar t_n) \to false) = C \wedge sol(p_1)[\bar t_1] \wedge \cdots \wedge sol(p_n)[\bar t_n] \to false$$

Definition 1 (Solvability). Let $\mathcal{HC}$ be a set of Horn clauses over relation symbols $\mathcal{R}$.
Form of interpolation | Fragment of Horn clauses
Binary interpolation [9, 22]: $A \wedge B$ | Pair of Horn clauses $A \to p(\bar x)$, $B \wedge p(\bar x) \to false$ with $\{\bar x\} = fv(A) \cap fv(B)$
Inductive interpolant seq. [18, 24]: $T_1 \wedge T_2 \wedge \cdots \wedge T_n$ | Linear tree-like Horn clauses $T_1 \to p_1(\bar x_1)$, $p_1(\bar x_1) \wedge T_2 \to p_2(\bar x_2)$, $\ldots$ with $\{\bar x_i\} = fv(T_1, \ldots, T_i) \cap fv(T_{i+1}, \ldots, T_n)$
Tree interpolants [17, 21] | Tree-like Horn clauses
Restricted DAG interpolants [1] | Linear Horn clauses
Disjunctive interpolants [27] | Body-disjoint Horn clauses

Table 1. Equivalence of interpolation problems and systems of Horn clauses.



1. $\mathcal{HC}$ is called semantically solvable if for every structure $(U, I) \in \mathcal{S}$ there is an interpretation of the relation symbols $\mathcal{R}$ as set-theoretic relations over $U$ such that the universally quantified closure $Cl_\forall(h)$ of every clause $h \in \mathcal{HC}$ holds in $(U, I)$.

2. $\mathcal{HC}$ is called syntactically solvable if there is a relation symbol assignment $sol$ such that for every structure $(U, I) \in \mathcal{S}$ and every clause $h \in \mathcal{HC}$ it is the case that $Cl_\forall(sol(h))$ is satisfied.

Note that, in the special case when $\mathcal{S}$ contains only one structure, $\mathcal{S} = \{(U, I)\}$, semantic solvability reduces to the existence of relations interpreting $\mathcal{R}$ that extend the structure $(U, I)$ in such a way to make all clauses true. In other words, Horn clauses are solvable in a structure if and only if the extension of the theory of $(U, I)$ by relation symbols $\mathcal{R}$ in the vocabulary and by given Horn clauses as axioms is consistent.

A set $\mathcal{HC}$ of Horn clauses induces a dependence relation $\to_{\mathcal{HC}}$ on $\mathcal{R}$, defining $p \to_{\mathcal{HC}} q$ if there is a Horn clause in $\mathcal{HC}$ that contains $p$ in its head, and $q$ in the body. The set $\mathcal{HC}$ is called recursion-free if $\to_{\mathcal{HC}}$ is acyclic, and recursive otherwise. In the next sections we study the solvability problem for recursion-free Horn clauses and then show how to use such results in general Horn clause verification systems.

5 Generalised Forms of Craig Interpolation 

It has become common to work with generalised forms of Craig interpolation, such as inductive sequences of interpolants, tree interpolants, and restricted DAG interpolants. We show that a variety of such interpolation approaches can be reduced to recursion-free Horn clauses. Recursion-free Horn clauses thus provide a general framework unifying and subsuming a number of earlier notions. As a side effect, we can formulate a general theorem about existence of the individual kinds of interpolants in Sect. 6, applicable to any constraint language with the (binary) interpolation property.

An overview of the relationship between specific forms of interpolation and specific fragments of recursion-free Horn clauses is given in Table 1, and will be explained in more detail in the rest of this section. Table 1 refers to the following fragments of recursion-free Horn clauses:

Definition 2 (Horn clause fragments). We say that a finite, recursion-free set $\mathcal{HC}$ of Horn clauses

1. is linear if the body of each Horn clause contains at most one relation symbol,

2. is body-disjoint if for each relation symbol $p$ there is at most one clause containing $p$ in its body; furthermore, every clause contains $p$ at most once;

3. is head-disjoint if for each relation symbol $p$ there is at most one clause containing $p$ in its head;

4. is tree-like [16] if it is body-disjoint and head-disjoint.

Theorem 1 (Interpolation and Horn clauses). For each line of Table 1 it holds that:

1. an interpolation problem of the stated form can be polynomially reduced to (syntactically) solving a set of Horn clauses, in the stated fragment;

2. solving a set of Horn clauses (syntactically) in the stated fragment can be polynomially reduced to solving a sequence of interpolation problems of the stated form.
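As an added example (not code from the paper), the structural conditions of Definition 2 and the recursion-freeness check of Sect. 4.1 applied to the clause structure of Fig. 2 and of the subset used in Example 1; only head and body relation symbols matter for these fragments, so the constraints are dropped. The Python encoding of the clauses is an assumption of the example.

```python
from collections import defaultdict

# Head and body relation symbols of the clauses in Fig. 2; a head of "false"
# is recorded as None.  Constraints play no role in the structural fragments.
FIG2 = {
    "(1)": ("r1", []),       "(2)": ("r2", ["r1"]),       "(3)": ("r3", ["r2", "rf"]),
    "(4)": ("r4", ["r3"]),   "(5)": (None, ["r3"]),       "(6)": ("r5", []),
    "(7)": ("r6", ["r5"]),   "(8)": ("r7", ["r6", "rf"]), "(9)": ("r8", ["r5"]),
    "(10)": ("r9", ["r7"]),  "(11)": ("r9", ["r8"]),      "(12)": ("rf", ["r9"]),
}
# The recursion-free subset used in Example 1.
EXAMPLE1 = {k: FIG2[k] for k in ("(1)", "(2)", "(3)", "(5)", "(6)", "(9)", "(11)", "(12)")}

def dependence_relation(hc):
    """p ->_HC q iff some clause has p in its head and q in its body."""
    dep = defaultdict(set)
    for head, body in hc.values():
        if head is not None:
            dep[head].update(body)
    return dep

def is_recursion_free(hc):
    """The set is recursion-free iff ->_HC is acyclic (DFS with colouring)."""
    dep = dependence_relation(hc)
    state = {}                       # 1 = on the DFS stack, 2 = finished
    def acyclic_from(p):
        if state.get(p) == 1:
            return False             # back edge: p depends on itself
        if state.get(p) == 2:
            return True
        state[p] = 1
        ok = all(acyclic_from(q) for q in dep.get(p, ()))
        state[p] = 2
        return ok
    return all(acyclic_from(p) for p in list(dep))

def is_linear(hc):
    """Definition 2.1: at most one relation symbol in every body."""
    return all(len(body) <= 1 for _, body in hc.values())

def is_body_disjoint(hc):
    """Definition 2.2: each p occurs in the body of at most one clause, and at
    most once within that body."""
    occurrences = defaultdict(int)
    for _, body in hc.values():
        if len(body) != len(set(body)):
            return False
        for q in body:
            occurrences[q] += 1
    return all(n <= 1 for n in occurrences.values())

def is_head_disjoint(hc):
    """Definition 2.3: each p is the head of at most one clause."""
    heads = [head for head, _ in hc.values() if head is not None]
    return len(heads) == len(set(heads))

def classify(hc):
    """The fragments of Definition 2.  They are only defined for recursion-free
    sets, so a recursive set is placed in none of them."""
    rf = is_recursion_free(hc)
    frag = {
        "recursion-free": rf,
        "linear": rf and is_linear(hc),
        "body-disjoint": rf and is_body_disjoint(hc),
        "head-disjoint": rf and is_head_disjoint(hc),
    }
    frag["tree-like"] = frag["body-disjoint"] and frag["head-disjoint"]   # Definition 2.4
    return frag

if __name__ == "__main__":
    print("Fig. 2:", classify(FIG2))          # recursive: rf -> r9 -> r7 -> rf
    print("Example 1:", classify(EXAMPLE1))   # tree-like, but not linear because of (3)
```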

5.1 Binary Craig Interpolants [9, 22]

The simplest form of Craig interpolation is the derivation of a constraint $I$ such that $A \models I$ and $I \models \neg B$, and such that $fv(I) \subseteq fv(A) \cap fv(B)$. Such derivation is typically constructed by efficiently processing the proof of unsatisfiability of $A \wedge B$. To encode a binary interpolation problem into Horn clauses, we first determine the set $\bar x = fv(A) \cap fv(B)$ of variables that can possibly occur in the interpolant. We then pick a relation symbol $p$ of arity $|\bar x|$, and define two Horn clauses expressing that $p(\bar x)$ is an interpolant:

$$A \to p(\bar x), \qquad B \wedge p(\bar x) \to false$$

It is clear that every syntactic solution for the two Horn clauses corresponds to an interpolant of $A \wedge B$.

5.2 Inductive Sequences of Interpolants [18, 24]

Given an unsatisfiable conjunction $T_1 \wedge \cdots \wedge T_n$ (in practice, often corresponding to an infeasible path in a program), an inductive sequence of interpolants is a sequence $I_0, I_1, \ldots, I_n$ of formulae such that

1. $I_0 = true$, $I_n = false$,

2. for all $i \in \{1, \ldots, n\}$, the entailment $I_{i-1} \wedge T_i \models I_i$ holds, and

3. for all $i \in \{0, \ldots, n\}$, it is the case that $fv(I_i) \subseteq fv(T_1, \ldots, T_i) \cap fv(T_{i+1}, \ldots, T_n)$.

While inductive sequences can be computed by repeated computation of binary interpolants [18], more efficient solvers have been developed that derive a whole sequence of interpolants simultaneously [7, 8, 21].
Inductive sequences as linear tree-like Horn clauses. An inductive sequence of interpolants can straightforwardly be encoded as a set of linear Horn clauses, by introducing a fresh relation symbol $p_i$ for each interpolant $I_i$ to be computed. The arguments of the relation symbols have to be chosen reflecting condition 3 of the definition of interpolant sequences: for each $i \in \{0, \ldots, n\}$, we assume that $\bar x_i = fv(T_1, \ldots, T_i) \cap fv(T_{i+1}, \ldots, T_n)$ is the vector of variables that can occur in $I_i$. Conditions 1 and 2 are then represented by the following Horn clauses:

$$p_0(\bar x_0), \quad p_0(\bar x_0) \wedge T_1 \to p_1(\bar x_1), \quad p_1(\bar x_1) \wedge T_2 \to p_2(\bar x_2), \quad \ldots, \quad p_n(\bar x_n) \to false$$

Linear tree-like Horn clauses as inductive sequences. Suppose $\mathcal{HC}$ is a finite, recursion-free, linear, and tree-like set of Horn clauses. We can solve the system of Horn clauses by computing one inductive sequence of interpolants for every connected component of the $\to_{\mathcal{HC}}$-graph. First, each clause is normalised in a manner similar to [14]: for every relation symbol $p$, we fix a unique vector of variables $\bar x_p$, and rewrite $\mathcal{HC}$ such that $p$ only occurs in the form $p(\bar x_p)$; this is possible since $\mathcal{HC}$ is recursion-free and body-disjoint. We then ensure, through renaming, that every variable $x$ that is not argument of a relation symbol occurs in at most one clause. A connected component then represents Horn clauses

$$C_1 \to p_1(\bar x_1), \quad C_2 \wedge p_1(\bar x_1) \to p_2(\bar x_2), \quad C_3 \wedge p_2(\bar x_2) \to p_3(\bar x_3), \quad \ldots, \quad C_n \wedge p_{n-1}(\bar x_{n-1}) \to false.$$

(If the first or the last of the clauses is missing, we assume that its constraint is $false$.) Any inductive sequence of interpolants for $C_1 \wedge C_2 \wedge C_3 \wedge \cdots \wedge C_n$ solves the clauses.

5.3 Tree Interpolants [17, 21]

Tree interpolants strictly generalise inductive sequences of interpolants, and are designed with the application of inter-procedural verification in mind: in this context, the tree structure of the interpolation problem corresponds to (a part of) the call graph of a program. Tree interpolation problems correspond to recursion-free tree-like sets of Horn clauses.

Suppose $(V, E)$ is a finite directed tree, writing $E(v, w)$ to express that the node $w$ is a direct child of $v$. Further, suppose $\phi : V \to Constr$ is a function that labels each node $v$ of the tree with a formula $\phi(v)$. A labelling function $I : V \to Constr$ is called a tree interpolant (for $(V, E)$ and $\phi$) if the following properties hold:

1. for the root node $v_0 \in V$, it is the case that $I(v_0) = false$,

2. for any node $v \in V$, the following entailment holds:

$$\phi(v) \wedge \bigwedge_{(v, w) \in E} I(w) \models I(v),$$

3. for any node $v \in V$, every non-logical symbol (in our case: variable) in $I(v)$ occurs both in some formula $\phi(w)$ for $w$ such that $E^*(v, w)$, and in some formula $\phi(w')$ for some $w'$ such that $\neg E^*(v, w')$. ($E^*$ is the reflexive transitive closure of $E$.)
Since the case of tree interpolants is instructive for solving recursion-free sets of Horn clauses in general, we give a result about the existence of tree interpolants. The proof of the lemma computes tree interpolants by repeated derivation of binary interpolants; however, as for inductive sequences of interpolants, there are solvers that can compute all formulae of a tree interpolant simultaneously [15, 16, 21].

Lemma 1. Suppose the constraint language $Constr$ has the interpolation property. Then a tree $(V, E)$ with labelling function $\phi : V \to Constr$ has a tree interpolant $I$ if and only if $\bigwedge_{v \in V} \phi(v)$ is unsatisfiable.

Proof. "⇒" follows from the observation that every interpolant $I(v)$ is a consequence of the conjunction $\bigwedge_{(v, w) \in E^*} \phi(w)$.

"⇐": let $v_1, v_2, \ldots, v_n$ be an inverse topological ordering of the nodes in $(V, E)$, i.e., an ordering such that $\forall i, j.\ (E(v_i, v_j) \Rightarrow i > j)$. We inductively construct a sequence of formulae $I_1, \ldots, I_n$, such that for every $i \in \{1, \ldots, n\}$ the following properties hold:

1. the following conjunction is unsatisfiable:

$$\bigwedge \{ I_k \mid k \le i,\ \forall j.\ (E(v_j, v_k) \Rightarrow j > i) \} \wedge \big( \phi(v_{i+1}) \wedge \phi(v_{i+2}) \wedge \cdots \wedge \phi(v_n) \big) \qquad (1)$$

2. the following entailment holds:

$$\phi(v_i) \wedge \bigwedge_{E(v_i, v_j)} I_j \models I_i$$

3. every non-logical symbol in $I_i$ occurs both in a formula $\phi(w)$ with $E^*(v_i, w)$, and in a formula $\phi(w')$ with $\neg E^*(v_i, w')$.

Assume that the formulae $I_1, I_2, \ldots, I_i$ have been constructed, for $i \in \{0, \ldots, n-1\}$. We then derive the next interpolant $I_{i+1}$ by solving the binary interpolation problem

$$\Big( \phi(v_{i+1}) \wedge \bigwedge_{E(v_{i+1}, v_j)} I_j \Big) \wedge \Big( \bigwedge \{ I_k \mid k \le i,\ \forall j.\ (E(v_j, v_k) \Rightarrow j > i+1) \} \wedge \phi(v_{i+2}) \wedge \cdots \wedge \phi(v_n) \Big) \qquad (2)$$

That is, we construct $I_{i+1}$ so that the following entailments hold:

$$\phi(v_{i+1}) \wedge \bigwedge_{E(v_{i+1}, v_j)} I_j \models I_{i+1}$$

$$\bigwedge \{ I_k \mid k \le i,\ \forall j.\ (E(v_j, v_k) \Rightarrow j > i+1) \} \wedge \phi(v_{i+2}) \wedge \cdots \wedge \phi(v_n) \models \neg I_{i+1}$$

Furthermore, $I_{i+1}$ only contains non-logical symbols that are common to the left and the right side of the conjunction.

Note that (2) is equivalent to (1), therefore unsatisfiable, and a well-formed interpolation problem. It is also easy to see that the properties 1-3 hold for $I_{i+1}$. Also, we can easily verify that the labelling function $I : v_i \mapsto I_i$ is a solution for the tree interpolation problem defined by $(V, E)$ and $\phi$. □
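The construction in the proof, as an added example that is not part of the paper: for propositional constraints a binary interpolant can be computed as the projection of the models of $A$ onto the variables shared with $B$, so the inductive construction of problem (2) can be run end to end on a small constructed tree and the result checked against conditions 1-3 of the tree interpolant definition. The tree, its labels and the formula representation are assumptions of the example.

```python
from itertools import product

class Formula:
    """Propositional formula: its free variables and a truth function over
    assignments (dicts from variable name to bool)."""
    def __init__(self, vars, fn):
        self.vars = frozenset(vars)
        self.fn = fn
    def __call__(self, a):
        return self.fn(a)

def var(x):
    return Formula([x], lambda a: a[x])

def neg(f):
    return Formula(f.vars, lambda a: not f(a))

def conj(*fs):
    return Formula(frozenset().union(*(f.vars for f in fs)), lambda a: all(f(a) for f in fs))

def disj(*fs):
    return Formula(frozenset().union(*(f.vars for f in fs)), lambda a: any(f(a) for f in fs))

FALSE = Formula([], lambda a: False)

def assignments(vs):
    vs = sorted(vs)
    for bits in product([False, True], repeat=len(vs)):
        yield dict(zip(vs, bits))

def entails(f, g):
    return all(g(a) for a in assignments(f.vars | g.vars) if f(a))

def equivalent(f, g):
    return entails(f, g) and entails(g, f)

def binary_interpolant(a, b):
    """Craig interpolant of the unsatisfiable conjunction A ∧ B: the models of A
    projected onto fv(A) ∩ fv(B), i.e. ∃(fv(A) \\ fv(B)). A.  This is the strongest
    interpolant; its existence for every unsatisfiable A ∧ B is the interpolation
    property of propositional logic."""
    if any(a(m) and b(m) for m in assignments(a.vars | b.vars)):
        raise ValueError("A ∧ B is satisfiable: no interpolant exists")
    common = a.vars & b.vars
    models = {frozenset(x for x in common if m[x]) for m in assignments(a.vars) if a(m)}
    return Formula(common, lambda m: frozenset(x for x in common if m[x]) in models)

def tree_interpolant(nodes, children, phi):
    """Direction "<=" of Lemma 1.  `nodes` is an inverse topological ordering
    v_1, ..., v_n (every node after its children, root last), `children[v]` the
    direct children of v, `phi[v]` its label.  Step i+1 solves problem (2):
    A = phi(v_{i+1}) ∧ ⋀ I_j over the children v_j of v_{i+1};
    B = ⋀ of the I_k already computed whose parent comes after v_{i+1}
        ∧ phi(v_{i+2}) ∧ ... ∧ phi(v_n)."""
    index = {v: i for i, v in enumerate(nodes)}
    parent = {w: v for v in nodes for w in children[v]}
    interp = {}
    for i, v in enumerate(nodes):
        a = conj(phi[v], *(interp[w] for w in children[v]))
        pending = [interp[u] for u in nodes[:i] if index[parent[u]] > i]
        b = conj(*pending, *(phi[u] for u in nodes[i + 1:]))
        interp[v] = binary_interpolant(a, b)
    return interp

def is_tree_interpolant(nodes, children, phi, interp):
    """Conditions 1-3 of the tree interpolant definition (Sect. 5.3)."""
    def subtree(v):                      # all w with E*(v, w)
        return {v}.union(*(subtree(w) for w in children[v]))
    if not equivalent(interp[nodes[-1]], FALSE):
        return False
    for v in nodes:
        if not entails(conj(phi[v], *(interp[w] for w in children[v])), interp[v]):
            return False
        inside = frozenset().union(*(phi[w].vars for w in subtree(v)))
        outside = frozenset().union(*(phi[w].vars for w in nodes if w not in subtree(v)))
        if not interp[v].vars <= inside & outside:
            return False
    return True

# Constructed example (not from the paper): a call-tree-shaped problem
# root -> {a, b}, b -> {c} whose labels conjoin to x ∧ (¬x ∨ y) ∧ (¬y ∨ z) ∧ ¬z.
x, y, z = var("x"), var("y"), var("z")
NODES = ["c", "b", "a", "root"]                       # inverse topological ordering
CHILDREN = {"root": ["a", "b"], "a": [], "b": ["c"], "c": []}
PHI = {"c": x, "b": disj(neg(x), y), "a": disj(neg(y), z), "root": neg(z)}

if __name__ == "__main__":
    I = tree_interpolant(NODES, CHILDREN, PHI)
    print(is_tree_interpolant(NODES, CHILDREN, PHI, I))   # True
    print(equivalent(I["b"], y))                          # True: the summary of b's subtree is y
```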
Tree interpolation as tree-like Horn clauses. The encoding of a tree interpolation problem as a tree-like set of Horn clauses is very similar to the encoding for inductive sequences of interpolants. We introduce a fresh relation symbol $p_v$ for each node $v \in V$ of a tree interpolation problem $(V, E), \phi$, assuming that for each $v \in V$ the vector $\bar x_v = \bigcup_{E^*(v, w)} fv(\phi(w)) \cap \bigcup_{\neg E^*(v, w)} fv(\phi(w))$ represents the set of variables that can occur in the interpolant $I(v)$. The interpolation problem is then represented by the following clauses:



Tree-like Horn clauses as tree interpolation. Suppose $\mathcal{HC}$ is a finite, recursion-free, and tree-like set of Horn clauses. We can solve the system of Horn clauses by computing a tree interpolant for every connected component of the $\to_{\mathcal{HC}}$-graph. As before, we first normalise the Horn clauses by fixing, for every relation symbol $p$, a unique vector of variables $\bar x_p$, and rewriting $\mathcal{HC}$ such that $p$ only occurs in the form $p(\bar x_p)$. We also ensure that every variable $x$ that is not argument of a relation symbol occurs in at most one clause. The tree interpolation graph $(V, E)$ is then defined by choosing the set $V = \mathcal{R} \cup \{false\}$ of relation symbols as nodes, and the child relation $E(p, q)$ to hold whenever $p$ occurs as head, and $q$ within the body of a clause. The labelling function $\phi$ is defined by $\phi(p) = C$ whenever there is a clause with head symbol $p$ and constraint $C$, and $\phi(p) = false$ if $p$ does not occur as head of any clause.

Example 1. We consider a subset of the Horn clauses given in Fig. 2:

(1) $r_1(X, Res) \leftarrow true$
(2) $r_2(X', Res) \leftarrow r_1(X, Res) \wedge X' \ge 0$
(3) $r_3(X, Res') \leftarrow r_2(X, Res) \wedge r_f(X, Res')$
(5) $false \leftarrow r_3(X, Res) \wedge Res \ne X + 1$
(6) $r_5(N, Rec, Tmp) \leftarrow true$
(9) $r_8(N, Rec, Tmp) \leftarrow r_5(N, Rec, Tmp) \wedge N \le 0$
(11) $r_9(N, Rec', Tmp) \leftarrow r_8(N, Rec, Tmp) \wedge Rec' = 1$
(12) $r_f(N, Rec) \leftarrow r_9(N, Rec, Tmp)$

Note that this recursion-free subset of the clauses is body-disjoint and head-disjoint, and thus tree-like. Since the complete set of clauses in Fig. 2 is solvable, also any subset is; in order to compute a (syntactic) solution of the clauses, we set up the corresponding tree interpolation problem. Fig. 4 shows the tree with the labelling $\phi$ to be interpolated (in grey), as well as the head literals of the clauses generating the nodes of the tree. A tree interpolant solving the interpolation problem is given in Fig. 5. The tree interpolant can straightforwardly be mapped to a solution of the original tree-like Horn clauses, for instance we set $r_8(n_8, rec_8, tmp_8) = (n_8 \le 0)$ and $r_9(n_9, rec_9, tmp_9) = (n_9 \le -1 \vee (rec_9 = 1 \wedge n_9 = 0))$.



Symmetric interpolants. A special case of tree interpolants, symmetric interpolants, was introduced in [23]. Symmetric interpolants are equivalent to tree interpolants with a flat tree structure $(V, E)$, i.e., $V = \{root, v_1, \ldots, v_n\}$, where the nodes $v_1, \ldots, v_n$ are the direct children of $root$.




[Fig. 4 is a tree diagram; the node labels recoverable from it are:]

$r_8(n_8, rec_8, tmp_8)$: $n_8 = n_5 \wedge n_8 \le 0 \wedge rec_8 = rec_5 \wedge tmp_8 = tmp_5$
$r_3(x_3, res_3)$: $x_3 = x_2 \wedge x_3 = n_f \wedge res_3 = rec_f$
further nodes: $r_1(x_1, res_1)$, $r_9(n_9, rec_9, tmp_9)$, $false$ (labels not recoverable)

Fig. 4. Tree interpolation problem for the clauses in Example 1.

5.4 Restricted (and Unrestricted) DAG Interpolants [1]

Restricted DAG interpolants are a further generalisation of inductive sequences of interpolants, introduced for the purpose of reasoning about multiple paths in a program simultaneously [1]. Suppose $(V, E, en, ex)$ is a finite connected DAG with entry node $en \in V$ and exit node $ex \in V$, further $\mathcal{L}_E : E \to Constr$ a labelling of edges with constraints, and $\mathcal{L}_V : V \to Constr$ a labelling of vertices. A restricted DAG interpolant is a mapping $I : V \to Constr$ with

1. $I(en) = true$, $I(ex) = false$,

2. for all $(v, w) \in E$ the entailment $I(v) \wedge \mathcal{L}_V(v) \wedge \mathcal{L}_E(v, w) \models I(w) \wedge \mathcal{L}_V(w)$ holds, and

3. for all $v \in V$ it is the case that⁴

$$fv(I(v)) \subseteq \Big( \bigcup_{(a, v) \in E} fv(\mathcal{L}_E(a, v)) \Big) \cap \Big( \bigcup_{(v, a) \in E} fv(\mathcal{L}_E(v, a)) \Big).$$

The UFO verification system [3] is able to compute DAG interpolants, based on the interpolation functionality of MathSAT [8]. We can observe that DAG interpolants (despite their name) are incomparable in expressiveness to tree interpolation. This is

⁴ The definition of DAG interpolants in [1, Def. 4] implies that $fv(I(v)) = \emptyset$ for every interpolant $I(v)$, $v \in V$, i.e., only trivial interpolants are allowed. We assume that this is a mistake in [1, Def. 4], and corrected the definition as shown here.
[Fig. 5 is a tree diagram; the interpolant formulae recoverable from it are: $true$; $n_9 \le -1 \vee (rec_9 = 1 \wedge n_9 = 0)$; $x_2 \ge 0$; $n_f \le -1 \vee (rec_f = 1 \wedge n_f = 0)$; $res_3 = x_3 + 1$.]

Fig. 5. Tree interpolant solving the interpolation problem in Fig. 4.

because DAG interpolants correspond to linear Horn clauses, and might have shared relation symbols in bodies, while tree interpolants correspond to possibly nonlinear tree-like Horn clauses, but do not allow shared relation symbols in bodies. Nevertheless, it is possible to reduce DAG interpolants to tree interpolants, but only at the cost of a potentially exponential growth in the number of clauses.

Encoding of restricted DAG interpolants as linear Horn clauses. For every $v \in V$, let

$$\bar x_v = \Big( \bigcup_{(a, v) \in E} fv(\mathcal{L}_E(a, v)) \Big) \cap \Big( \bigcup_{(v, a) \in E} fv(\mathcal{L}_E(v, a)) \Big)$$

be the variables allowed in the interpolant to be computed for $v$, and $p_v$ be a fresh relation symbol of arity $|\bar x_v|$. The interpolation problem is then defined by the following set of linear Horn clauses:

For each $(v, w) \in E$: $\mathcal{L}_V(v) \wedge \mathcal{L}_E(v, w) \wedge p_v(\bar x_v) \to p_w(\bar x_w)$, $\quad \mathcal{L}_V(v) \wedge \neg \mathcal{L}_V(w) \wedge \mathcal{L}_E(v, w) \wedge p_v(\bar x_v) \to false$
For $en, ex \in V$: $true \to p_{en}(\bar x_{en})$, $\quad p_{ex}(\bar x_{ex}) \to false$

Encoding of linear Horn clauses as DAG interpolants. Suppose $\mathcal{HC}$ is a finite, recursion-free, and linear set of Horn clauses. We can solve the system of Horn clauses by computing a DAG interpolant for every connected component of the $\to_{\mathcal{HC}}$-graph. As in Sect. 5.2, we normalise Horn clauses by fixing a unique vector $\bar x_p$ of argument variables for each relation symbol $p$, and ensure that every non-argument variable $x$ occurs in at most one clause. We also assume that multiple clauses $C \wedge p(\bar x_p) \to q(\bar x_q)$ and $D \wedge p(\bar x_p) \to q(\bar x_q)$ with the same relation symbols are merged to $(C \vee D) \wedge p(\bar x_p) \to q(\bar x_q)$.
Let $\{p_1, \ldots, p_n\}$ be all relation symbols of one connected component. We then define the DAG interpolation problem $(V, E, en, ex), \mathcal{L}_E, \mathcal{L}_V$ by

- the vertices $V = \{p_1, \ldots, p_n\} \cup \{en, ex\}$, including two fresh nodes $en, ex$,

- the edge relation

$$E = \{(p, q) \mid \text{there is a clause } C \wedge p(\bar x_p) \to q(\bar x_q) \in \mathcal{HC}\} \cup \{(en, p) \mid \text{there is a clause } D \to p(\bar x_p) \in \mathcal{HC}\} \cup \{(p, ex) \mid \text{there is a clause } E \wedge p(\bar x_p) \to false \in \mathcal{HC}\},$$

- for each $(v, w) \in E$, the edge labelling

$$\mathcal{L}_E(v, w) = \begin{cases} C \wedge \bar x_v = \bar x_v \wedge \bar x_w = \bar x_w & \text{if } C \wedge v(\bar x_v) \to w(\bar x_w) \in \mathcal{HC} \\ D \wedge \bar x_w = \bar x_w & \text{if } v = en \text{ and } D \to w(\bar x_w) \in \mathcal{HC} \\ E \wedge \bar x_v = \bar x_v & \text{if } w = ex \text{ and } E \wedge v(\bar x_v) \to false \in \mathcal{HC} \end{cases}$$

Note that the labels include equations like $\bar x_v = \bar x_v$ to ensure that the right variables are allowed to occur in interpolants.

- for each $v \in V$, the node labelling $\mathcal{L}_V(v) = true$.

By checking the definition of DAG interpolants, it can be verified that every interpolant solving the problem $(V, E, en, ex), \mathcal{L}_E, \mathcal{L}_V$ is also a solution of the linear Horn clauses.



5.5 Disjunctive Interpolants [27] 

Disjunctive interpolants were introduced in [27] as a generalisation of tree interpolants. Disjunctive interpolants resemble tree interpolants in the sense that the relationship of the components of an interpolant is defined by a tree; in contrast to tree interpolants, however, this tree is an and/or-tree: branching in the tree can represent either conjunctions or disjunctions. Disjunctive interpolants correspond to sets of body-disjoint Horn clauses; in this representation, and-branching is encoded by clauses with multiple body literals (like with tree interpolants), while or-branching is interpreted as multiple clauses sharing the same head symbol. For a detailed account on disjunctive interpolants, we refer the reader to [27].

The solution of body-disjoint Horn clauses can be computed by solving a sequence 
of tree-like sets of Horn clauses: 

Lemma 2. Let 'HC be a finite set of recursion-free body-disjoint Horn clauses. HC 
has a syntactic/semantic solution if and only if every maximum tree-like subset ofHC 
has a syntactic/semantic solution. 

Proof. We outline direction "<=" for syntactic solutions. Solving the tree-like subsets of 
HC yields, for each relation symbol p e %, a set SC P of solution constraints. A global 
solution of HC can be constructed by forming a positive Boolean combination of the 
constraints in SC P for each p e H. □ 
Example 2. We consider a recursion-free unwinding of the Horn clauses in Fig. 2. To make the set of clauses body-disjoint, the clauses (6), (9), (11), (12) were duplicated, introducing primed copies of all relation symbols involved. The clauses are not head-disjoint, since (10) and (11) share the same head symbol:

(1) $r_1(X, \mathit{Res}) \leftarrow \mathit{true}$

(2) $r_2(X', \mathit{Res}) \leftarrow r_1(X, \mathit{Res}) \wedge X' \geq 0$

(3) $r_3(X, \mathit{Res}') \leftarrow r_2(X, \mathit{Res}) \wedge r_f(X, \mathit{Res}')$

(5) $\mathit{false} \leftarrow r_3(X, \mathit{Res}) \wedge \mathit{Res} \neq X + 1$

(6) $r_5(N, \mathit{Rec}, \mathit{Tmp}) \leftarrow \mathit{true}$

(7) $r_6(N, \mathit{Rec}, \mathit{Tmp}) \leftarrow r_5(N, \mathit{Rec}, \mathit{Tmp}) \wedge N > 0$

(8) $r_7(N, \mathit{Rec}, \mathit{Tmp}') \leftarrow r_6(N, \mathit{Rec}, \mathit{Tmp}) \wedge r_f'(N - 1, \mathit{Tmp}')$

(9) $r_8(N, \mathit{Rec}, \mathit{Tmp}) \leftarrow r_5(N, \mathit{Rec}, \mathit{Tmp}) \wedge N \leq 0$

(10) $r_9(N, \mathit{Rec}', \mathit{Tmp}) \leftarrow r_7(N, \mathit{Rec}, \mathit{Tmp}) \wedge \mathit{Rec}' = \mathit{Tmp} + 1$

(11) $r_9(N, \mathit{Rec}', \mathit{Tmp}) \leftarrow r_8(N, \mathit{Rec}, \mathit{Tmp}) \wedge \mathit{Rec}' = 1$

(12) $r_f(N, \mathit{Rec}) \leftarrow r_9(N, \mathit{Rec}, \mathit{Tmp})$

(6') $r_5'(N, \mathit{Rec}, \mathit{Tmp}) \leftarrow \mathit{true}$

(9') $r_8'(N, \mathit{Rec}, \mathit{Tmp}) \leftarrow r_5'(N, \mathit{Rec}, \mathit{Tmp}) \wedge N \leq 0$

(11') $r_9'(N, \mathit{Rec}', \mathit{Tmp}) \leftarrow r_8'(N, \mathit{Rec}, \mathit{Tmp}) \wedge \mathit{Rec}' = 1$

(12') $r_f'(N, \mathit{Rec}) \leftarrow r_9'(N, \mathit{Rec}, \mathit{Tmp})$

There are two maximum tree-like subsets: $T_1 = \{(1), (2), (3), (5), (6), (9), (11), (12)\}$ and $T_2 = \{(1), (2), (3), (5), (6), (7), (8), (10), (12), (6'), (9'), (11'), (12')\}$. The subset $T_1$ has been discussed in Example 1. In the same way, it is possible to construct a solution for $T_2$ by solving a tree interpolation problem. The two solutions can be combined to construct a solution of $T_1 \cup T_2$:
| Relation symbol   | Solution of $T_1$                        | Solution of $T_2$                        | Combined solution                        |
|-------------------|------------------------------------------|------------------------------------------|------------------------------------------|
| $r_1(x, r)$       | $\mathit{true}$                          | $\mathit{true}$                          | $\mathit{true}$                          |
| $r_2(x, r)$       | $x \geq 0$                               | $\mathit{true}$                          | $x \geq 0$                               |
| $r_3(x, r)$       | $r = x + 1$                              | $r = x + 1$                              | $r = x + 1$                              |
| $r_5(n, c, t)$    | $\mathit{true}$                          | $\mathit{true}$                          | $\mathit{true}$                          |
| $r_6(n, c, t)$    | -                                        | $n \geq 1$                               | $n \geq 1$                               |
| $r_7(n, c, t)$    | -                                        | $t = n$                                  | $t = n$                                  |
| $r_8(n, c, t)$    | $n \leq 0$                               | -                                        | $n \leq 0$                               |
| $r_9(n, c, t)$    | $n \leq -1 \vee (c = 1 \wedge n = 0)$    | $c = n + 1$                              | $n \leq -1 \vee c = n + 1$               |
| $r_f(n, c)$       | $n \leq -1 \vee (c = 1 \wedge n = 0)$    | $c = n + 1$                              | $n \leq -1 \vee c = n + 1$               |
| $r_5'(n, c, t)$   | -                                        | $\mathit{true}$                          | $\mathit{true}$                          |
| $r_8'(n, c, t)$   | -                                        | $n \leq 0$                               | $n \leq 0$                               |
| $r_9'(n, c, t)$   | -                                        | $n \leq -1 \vee (c = 1 \wedge n = 0)$    | $n \leq -1 \vee (c = 1 \wedge n = 0)$    |
| $r_f'(n, c)$      | -                                        | $n \leq -1 \vee (c = 1 \wedge n = 0)$    | $n \leq -1 \vee (c = 1 \wedge n = 0)$    |

(A "-" marks a relation symbol that does not occur in the respective subset.)
In particular, the disjunction of the two interpretations of $r_9(n, c, t)$ has to be used in order to satisfy both (10) and (11) (similarly for $r_f(n, c)$). In contrast, the conjunction of the interpretations of $r_2(x, r)$ is needed to satisfy (3).
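Lemma 2 and Example 2 together, as an added example in Python that is not code from the paper: the clauses of Example 2 in a small encoding, a function that enumerates the maximum tree-like subsets (assuming these are obtained by choosing one clause per head symbol, i.e. one branch of every or-node, and keeping the clauses reachable backwards from the goal clause), and a bounded brute-force check over integers in $[-3, 3]$ that the $T_1$ and $T_2$ solutions of the table solve their own trees while only their positive Boolean combination solves the whole set. The brute-force check stands in for interpolation as a sanity check of a candidate solution, not as a proof; the comparison constants 0 in clauses (2), (7) and (9) follow the solutions in the table.

```python
# Added example (not code from the paper): the body-disjoint clause set of
# Example 2, its maximum tree-like subsets T1 and T2, and a bounded brute-force
# check that each per-tree solution solves its tree and that the positive
# Boolean combination of Lemma 2 solves the whole set.
from itertools import product

# Clause id -> (head symbol, head args, body literals, constraint on an env dict).
# An argument is a variable name or (variable, offset): ("N", -1) stands for N - 1.
CLAUSES = {
    "1":   ("r1", ("X", "Res"), [], lambda e: True),
    "2":   ("r2", ("X'", "Res"), [("r1", ("X", "Res"))], lambda e: e["X'"] >= 0),
    "3":   ("r3", ("X", "Res'"), [("r2", ("X", "Res")), ("rf", ("X", "Res'"))], lambda e: True),
    "5":   ("false", (), [("r3", ("X", "Res"))], lambda e: e["Res"] != e["X"] + 1),
    "6":   ("r5", ("N", "Rec", "Tmp"), [], lambda e: True),
    "7":   ("r6", ("N", "Rec", "Tmp"), [("r5", ("N", "Rec", "Tmp"))], lambda e: e["N"] > 0),
    "8":   ("r7", ("N", "Rec", "Tmp'"), [("r6", ("N", "Rec", "Tmp")), ("rf'", (("N", -1), "Tmp'"))], lambda e: True),
    "9":   ("r8", ("N", "Rec", "Tmp"), [("r5", ("N", "Rec", "Tmp"))], lambda e: e["N"] <= 0),
    "10":  ("r9", ("N", "Rec'", "Tmp"), [("r7", ("N", "Rec", "Tmp"))], lambda e: e["Rec'"] == e["Tmp"] + 1),
    "11":  ("r9", ("N", "Rec'", "Tmp"), [("r8", ("N", "Rec", "Tmp"))], lambda e: e["Rec'"] == 1),
    "12":  ("rf", ("N", "Rec"), [("r9", ("N", "Rec", "Tmp"))], lambda e: True),
    "6'":  ("r5'", ("N", "Rec", "Tmp"), [], lambda e: True),
    "9'":  ("r8'", ("N", "Rec", "Tmp"), [("r5'", ("N", "Rec", "Tmp"))], lambda e: e["N"] <= 0),
    "11'": ("r9'", ("N", "Rec'", "Tmp"), [("r8'", ("N", "Rec", "Tmp"))], lambda e: e["Rec'"] == 1),
    "12'": ("rf'", ("N", "Rec"), [("r9'", ("N", "Rec", "Tmp"))], lambda e: True),
}


def var(a):
    return a if isinstance(a, str) else a[0]


def value(a, env):
    return env[a] if isinstance(a, str) else env[a[0]] + a[1]


def maximum_tree_like_subsets(clauses):
    """Or-branching = several clauses with the same head: pick one clause per
    head symbol, then keep what is reachable backwards from the goal clauses.
    Assumption: this yields exactly the maximum tree-like subsets of a
    body-disjoint set (and-branching, i.e. several body literals, is kept)."""
    by_head = {}
    for cid, (head, _, _, _) in clauses.items():
        by_head.setdefault(head, []).append(cid)
    symbols = [h for h in by_head if h != "false"]
    subsets = set()
    for choice in product(*(by_head[h] for h in symbols)):
        chosen = dict(zip(symbols, choice))
        keep, todo = set(), list(by_head.get("false", []))
        while todo:
            cid = todo.pop()
            if cid not in keep:
                keep.add(cid)
                todo += [chosen[s] for s, _ in clauses[cid][2] if s in chosen]
        subsets.add(frozenset(keep))
    return subsets


def is_tree_like(clauses, subset):
    """Head-disjoint (goal clauses aside) and every symbol in at most one body literal."""
    heads = [clauses[c][0] for c in subset if clauses[c][0] != "false"]
    bodies = [s for c in subset for s, _ in clauses[c][2]]
    return len(set(heads)) == len(heads) and len(set(bodies)) == len(bodies)


def violated(clauses, subset, interp, lo=-3, hi=3):
    """Ids of the clauses in `subset` that `interp` (symbol -> predicate) fails
    for some assignment of the clause variables to integers in [lo, hi].
    Bounded enumeration: a sanity check of a candidate solution, not a proof."""
    bad = set()
    for cid in subset:
        head, hargs, body, cond = clauses[cid]
        names = sorted({var(a) for a in hargs} | {var(a) for _, args in body for a in args})
        for vals in product(range(lo, hi + 1), repeat=len(names)):
            env = dict(zip(names, vals))
            if not cond(env):
                continue
            if not all(interp[s](*(value(a, env) for a in args)) for s, args in body):
                continue
            if head == "false" or not interp[head](*(value(a, env) for a in hargs)):
                bad.add(cid)
                break
    return bad


# Solutions read off the table of Example 2, and their combination as in the
# text: disjunction for r9 and rf, conjunction for r2, the rest taken over.
T1 = {"r1": lambda x, r: True, "r2": lambda x, r: x >= 0, "r3": lambda x, r: r == x + 1,
      "r5": lambda n, c, t: True, "r8": lambda n, c, t: n <= 0,
      "r9": lambda n, c, t: n <= -1 or (c == 1 and n == 0),
      "rf": lambda n, c: n <= -1 or (c == 1 and n == 0)}
T2 = {"r1": lambda x, r: True, "r2": lambda x, r: True, "r3": lambda x, r: r == x + 1,
      "r5": lambda n, c, t: True, "r6": lambda n, c, t: n >= 1, "r7": lambda n, c, t: t == n,
      "r9": lambda n, c, t: c == n + 1, "rf": lambda n, c: c == n + 1,
      "r5'": lambda n, c, t: True, "r8'": lambda n, c, t: n <= 0,
      "r9'": lambda n, c, t: n <= -1 or (c == 1 and n == 0),
      "rf'": lambda n, c: n <= -1 or (c == 1 and n == 0)}
COMBINED = {**T2, **T1,
            "r2": lambda x, r: T1["r2"](x, r) and T2["r2"](x, r),
            "r9": lambda n, c, t: T1["r9"](n, c, t) or T2["r9"](n, c, t),
            "rf": lambda n, c: T1["rf"](n, c) or T2["rf"](n, c)}
```

Calling `maximum_tree_like_subsets(CLAUSES)` returns exactly the two subsets $T_1$ and $T_2$ named in the text; `violated(CLAUSES, set(CLAUSES), COMBINED)` is empty, whereas using the $T_2$ interpretation of $r_9$ alone leaves clause (11) violated and the $T_1$ interpretation alone leaves (10) violated.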
[Fig. 6 is a diagram; only its node labels survived extraction: "(Restricted) DAG interpolation", "Disjunctive interpolation", "Tree interpolation", "Inductive interpolant sequences", "Binary interpolation", "Craig interpolation", "General recursion-free", "Recursion-free Horn clauses".]

Fig. 6. Relationship between different forms of Craig interpolation, and different fragments of recursion-free Horn clauses. An arrow from A to B expresses that problem A is (strictly) subsumed by B. The complexity classes "co-NP" and "co-NEXPTIME" refer to the problem of checking solvability of Horn clauses over quantifier-free Presburger arithmetic.



6 The Complexity of Recursion-free Horn Clauses

We give an overview of the considered fragments of recursion-free Horn clauses, and the corresponding interpolation problem, in Fig. 6. The diagram also shows the complexity of deciding (semantic or syntactic) solvability of a set of Horn clauses, for Horn clauses over the constraint language of quantifier-free Presburger arithmetic. Most of the complexity results occur in [27], but in addition we use the following two observations:

Lemma 3. Semantic solvability of recursion-free linear Horn clauses over the constraint language of quantifier-free Presburger arithmetic is in co-NP.

Proof. A set $\mathcal{HC}$ of recursion-free linear Horn clauses is solvable if and only if the expansion $\mathit{exp}(\mathcal{HC})$ is unsatisfiable [27]. For linear clauses, $\mathit{exp}(\mathcal{HC})$ is a disjunction of (possibly) exponentially many formulae, each of which is linear in the size of $\mathcal{HC}$. Consequently, satisfiability of $\mathit{exp}(\mathcal{HC})$ is in NP, and unsatisfiability in co-NP. □

Lemma 4. Semantic solvability of recursion-free head-disjoint Horn clauses over the constraint language of quantifier-free Presburger arithmetic is co-NEXPTIME-hard.

Proof. The proof given in [27] for co-NEXPTIME-hardness of recursion-free Horn clauses over quantifier-free Presburger arithmetic can be adapted to only require head-disjoint clauses. This is because a single execution step of a non-deterministic Turing machine can be expressed as a quantifier-free Presburger formula. □

7 Beyond Recursion-free Horn Clauses

It is natural to ask whether the considerations of the last sections also apply to clauses that are not Horn clauses (i.e., clauses that can contain multiple positive literals), provided the clauses are "recursion-free." Is it possible, like for Horn clauses, to compute solutions of recursion-free clauses in general by means of computing Craig interpolants?

To investigate the situation for clauses that are not Horn, we first have to generalise the concept of clauses being recursion-free: the definition provided in Sect. 4, formulated with the help of the dependence relation $\to_{\mathcal{HC}}$, only applies to Horn clauses. For non-Horn clauses, we instead choose to reason about the absence of infinite propositional resolution derivations. Because the proposed algorithms [27] for solving recursion-free sets of Horn clauses all make use of exhaustive expansion or inlining, i.e., the construction of all derivations for a given set of clauses, the requirement that no infinite derivations exist is fundamental.^5

Somewhat surprisingly, we observe that all sets of clauses without infinite derivations have the shape of Horn clauses, up to renaming of relation symbols. This means that procedures handling Horn clauses cover all situations in which we can hope to compute solutions with the help of Craig interpolation.

Since constraints and relation symbol arguments are irrelevant for this observation, the following results are entirely formulated on the level of propositional logic:

- a propositional literal is either a Boolean variable $p, q, r$ (positive literals), or the negation $\neg p, \neg q, \neg r$ of a Boolean variable (negative literals).

- a propositional clause is a disjunction $p \vee \neg q \vee p$ of literals. The multiplicity of a literal is important, i.e., clauses could alternatively be represented as multi-sets of literals.

- a Horn clause is a clause that contains at most one positive literal.

- given a set $\mathcal{HC}$ of Horn clauses, we define the dependence relation $\to_{\mathcal{HC}}$ on Boolean variables by setting $p \to_{\mathcal{HC}} q$ if and only if there is a clause in $\mathcal{HC}$ in which $p$ occurs positively, and $q$ negatively (like in Sect. 4). The set $\mathcal{HC}$ is called recursion-free if $\to_{\mathcal{HC}}$ is acyclic.

We can now generalise the notion of a set of clauses being "recursion-free" to non-Horn clauses:

^5 We do not take subsumption between clauses, or loops in derivations into account. This means that a set of clauses might give rise to infinite derivations even if the set of derived clauses is finite. It is conceivable that notions of subsumption, or more generally the application of terminating saturation strategies [12], can be used to identify more general fragments of clauses for which syntactic solutions can effectively be computed. This line of research is future work.
Definition 3. A set $\mathcal{C}$ of propositional clauses has the termination property if no infinite sequence $c_0, c_1, c_2, c_3, \ldots$ of clauses exists, such that

- $c_0 \in \mathcal{C}$ is an input clause, and

- for each $i \geq 1$, the clause $c_i$ is derived by means of binary resolution from $c_{i-1}$ and an input clause, using the rule
$$\frac{C \vee p \qquad D \vee \neg p}{C \vee D}$$

Lemma 5. A finite set $\mathcal{HC}$ of Horn clauses has the termination property if and only if it is recursion-free.

Proof. "⇐" The acyclic dependence relation $\to_{\mathcal{HC}}$ induces a strict well-founded order $<$ on Boolean variables: $q \to_{\mathcal{HC}} p$ implies $p < q$. The order $<$ induces a well-founded order $\ll$ on Horn clauses:
$$\begin{aligned} (p \vee C) \ll (q \vee D) &\iff p > q \text{ or } (p = q \text{ and } C <_{ms} D) \\ C \ll (q \vee D) &\iff \mathit{true} \\ C \ll D &\iff C <_{ms} D \end{aligned}$$
where $C, D$ only contain negative literals, and $<_{ms}$ is the (well-founded) multi-set extension of $<$ [11].

It is easy to see that a clause $C \vee D$ derived from two Horn clauses $C \vee p$ and $D \vee \neg p$ using the resolution rule is again Horn, and $(C \vee D) \ll (C \vee p)$ and $(C \vee D) \ll (D \vee \neg p)$. The well-foundedness of $\ll$ implies that any sequence of clauses as in Def. 3 is finite.

"⇒" If the dependence relation $\to_{\mathcal{HC}}$ has a cycle, we can directly construct a non-terminating sequence $c_0, c_1, c_2, \ldots$ of clauses. □

Definition 4 (Renamable-Horn [20]). If $A$ is a set of Boolean variables, and $\mathcal{C}$ is a set of clauses, then $r_A(\mathcal{C})$ is the result of replacing in $\mathcal{C}$ every literal whose Boolean variable is in $A$ with its complement. $\mathcal{C}$ is called renamable-Horn if there is some set $A$ of Boolean variables such that $r_A(\mathcal{C})$ is Horn.

Theorem 2. If a finite set $\mathcal{C}$ of clauses has the termination property, then it is renamable-Horn.

Proof. Suppose $\mathcal{C}$ is formulated over the (finite) set $p_1, p_2, \ldots, p_n$ of Boolean variables. We construct a graph $(V, E)$, with $V = \{p_1, p_2, \ldots, p_n, \neg p_1, \neg p_2, \ldots, \neg p_n\}$ being the set of all possible literals, and $(l, l') \in E$ if and only if there is a clause $\neg l \vee l' \vee C \in \mathcal{C}$ (that means, a clause containing the literal $l'$, and the literal $l$ with reversed sign).^6

The graph $(V, E)$ is acyclic. To see this, suppose there is a cycle $l_1, l_2, \ldots, l_m, l_{m+1} = l_1$ in $(V, E)$. Then there are clauses $c_1, c_2, \ldots, c_m \in \mathcal{C}$ such that each $c_i$ contains the literals $\neg l_i$ and $l_{i+1}$. We can then construct an infinite sequence $c_1 = d_0, d_1, d_2, \ldots$ of clauses, where each $d_i$ (for $i \geq 1$) is obtained by resolving $d_{i-1}$ with $c_{(i \bmod m) + 1}$, contradicting the assumption that $\mathcal{C}$ has the termination property.

^6 This graph could equivalently be defined as the implication graph of the 2-SAT problem introduced in [20], as a way of characterising whether a set of clauses is Horn.

Since $(V, E)$ is acyclic, there is a strict total order $<$ on $V$ that is consistent with $E$, i.e., $(l, l') \in E$ implies $l < l'$.

Claim: if $p < \neg p$ for every Boolean variable $p \in \{p_1, p_2, \ldots, p_n\}$, then $\mathcal{C}$ is Horn.

Proof of the claim: suppose a non-Horn clause $p_i \vee p_j \vee C \in \mathcal{C}$ exists (with $i \neq j$). Then $(\neg p_i, p_j) \in E$ and $(\neg p_j, p_i) \in E$, and therefore $\neg p_i < p_j$ and $\neg p_j < p_i$. Then also $\neg p_i < p_i$ or $\neg p_j < p_j$, contradicting the assumption that $p < \neg p$ for every Boolean variable $p$.

In general, choose $A = \{p_i \mid i \in \{1, \ldots, n\},\ \neg p_i < p_i\}$, and consider the set $r_A(\mathcal{C})$ of clauses. The set $r_A(\mathcal{C})$ is Horn, since changing the sign of a Boolean variable $p \in A$ has the effect of swapping the nodes $p, \neg p$ in the graph $(V, E)$. Therefore, the new graph $(V, E')$ has to be compatible with a strict total order $<$ such that $p < \neg p$ for every Boolean variable $p$, satisfying the assumption of the claim above. □

Example 3. We consider the following set of clauses:
$$\mathcal{C} = \{\neg a \vee s,\ a \vee p \vee \neg b,\ b \vee p \vee r,\ \neg p \vee q\}$$

By constructing all possible derivations, it can be shown that the set has the termination property. The graph $(V, E)$, as constructed in the proof, is:

[The graph is a figure that did not survive extraction.]

A strict total order that is compatible with the graph is:
$$\neg s < \neg q < \neg r < \neg a < \neg p < b < \neg b < r < p < q < a < s$$

From the order we can read off that we need to rename the variables $A = \{s, q, r, a, p\}$ in order to obtain a set of Horn clauses:
$$r_A(\mathcal{C}) = \{a \vee \neg s,\ \neg a \vee \neg p \vee \neg b,\ b \vee \neg p \vee \neg r,\ p \vee \neg q\}$$
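Definition 3, Lemma 5 and Theorem 2 together, as an added example in Python that is not code from the paper: the literal graph $(V, E)$ from the proof of Theorem 2, a topological order through it, the renaming set $A$ read off an order, $r_A(\mathcal{C})$, and, for Horn clauses, the dependence relation $\to_{\mathcal{HC}}$ with the recursion-freeness test of Lemma 5. The function names are my own; `EXAMPLE3` and `PAPER_ORDER` are the clause set of Example 3 and the order given there. The graph check is the one the proof uses: a cycle yields an infinite derivation, so an acyclic graph is necessary for the termination property (the code does not claim it is sufficient).

```python
# Added example (not code from the paper): the literal graph (V, E) from the
# proof of Theorem 2, a strict total order compatible with it, the renaming set
# A, r_A(C), and the dependence relation ->_HC / recursion-freeness of Lemma 5.

# A literal is (variable, is_positive); a clause is a list of literals, so the
# multiplicity of a literal is kept, as the paper requires.
def lit(s):
    """Parse "-p" as the negative literal of p and "p" as the positive one."""
    return (s[1:], False) if s.startswith("-") else (s, True)


def complement(l):
    return (l[0], not l[1])


def is_horn(clauses):
    return all(sum(1 for _, pos in c if pos) <= 1 for c in clauses)


def literal_graph(clauses):
    """(l, l') in E iff some clause contains l' together with the complement of l
    at a different position (so a clause p v p yields the edge (-p, p))."""
    V, E = set(), set()
    for c in clauses:
        V |= {l for l in c} | {complement(l) for l in c}
        E |= {(complement(c[i]), c[j]) for i in range(len(c)) for j in range(len(c)) if i != j}
    return V, E


def topological_order(V, E):
    """Kahn's algorithm: a strict total order consistent with E as a list, or None
    if (V, E) has a cycle. For the literal graph, a cycle means an infinite
    resolution derivation exists, so the termination property fails."""
    indeg = {v: 0 for v in V}
    for _, w in E:
        indeg[w] += 1
    ready, order = sorted(v for v in V if indeg[v] == 0), []
    while ready:
        v = ready.pop(0)
        order.append(v)
        for a, b in sorted(E):
            if a == v:
                indeg[b] -= 1
                if indeg[b] == 0:
                    ready.append(b)
    return order if len(order) == len(V) else None


def is_compatible(order, E):
    """(l, l') in E implies l < l' in the given order."""
    pos = {l: i for i, l in enumerate(order)}
    return all(pos[a] < pos[b] for a, b in E)


def rename_set(order):
    """A = {p | -p < p} for a total order given as a list of literals."""
    pos = {l: i for i, l in enumerate(order)}
    return {v for v, s in order if s and pos[(v, False)] < pos[(v, True)]}


def rename(clauses, A):
    """r_A(C): flip the sign of every literal whose variable is in A."""
    return [[(v, (not s) if v in A else s) for v, s in c] for c in clauses]


def renamable_horn_via_termination(clauses):
    """Theorem 2 as a procedure: if the literal graph is acyclic, return a set A
    with r_A(C) Horn. None means the graph has a cycle, so the theorem's
    argument does not apply (which by itself does not show C is not renamable)."""
    V, E = literal_graph(clauses)
    order = topological_order(V, E)
    if order is None:
        return None
    A = rename_set(order)
    assert is_horn(rename(clauses, A))  # guaranteed by the claim in the proof
    return A


def dependence_relation(horn):
    """p ->_HC q iff some clause contains p positively and q negatively."""
    return {(p, q) for c in horn for p, s in c if s for q, t in c if not t}


def is_recursion_free(horn):
    variables = {v for c in horn for v, _ in c}
    return topological_order(variables, dependence_relation(horn)) is not None


# Example 3 of the paper, and the strict total order given there.
EXAMPLE3 = [[lit(x) for x in c.split()] for c in ["-a s", "a p -b", "b p r", "-p q"]]
PAPER_ORDER = [lit(x) for x in "-s -q -r -a -p b -b r p q a s".split()]
```

For `EXAMPLE3`, `is_compatible(PAPER_ORDER, E)` holds for the computed graph, `rename_set(PAPER_ORDER)` is exactly $\{s, q, r, a, p\}$, and renaming with that set gives the Horn set $r_A(\mathcal{C})$ shown in the example, which `is_recursion_free` confirms has an acyclic dependence relation. A Horn set with a cycle in $\to_{\mathcal{HC}}$ (say $p \vee \neg q$ and $q \vee \neg p$) also produces a cycle in the literal graph, matching Lemma 5.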